https://bz.apache.org/bugzilla/show_bug.cgi?id=62232
--- Comment #14 from Rainer Jung <[email protected]> ---
Pretty simple reproduction scenario. I used OpenSSL 1.0.2n:

Loaded modules:

LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unixd_module modules/mod_unixd.so

httpd.conf default (except for LogLevel trace8) and includes:

Define APACHE_BASE /path/to/my/apache/instance

# Taken from the default conf/extra/httpd-ssl.conf
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:${APACHE_BASE}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

Listen *:9543
<VirtualHost *:9543>
    SSLEngine on
    SSLCertificateFile "${APACHE_BASE}/conf/server.crt"
    SSLCertificateKeyFile "${APACHE_BASE}/conf/server.key"
    SSLCACertificateFile "${APACHE_BASE}/conf/ca-bundle.crt"

    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName off

    <Location "/">
        SSLOptions StdEnvVars
    </Location>

    ProxyPass /test https://localhost:9544
</VirtualHost>

Listen *:9544
<VirtualHost *:9544>
    SSLEngine on
    SSLCertificateFile "${APACHE_BASE}/conf/server.crt"
    SSLCertificateKeyFile "${APACHE_BASE}/conf/server.key"
    SSLCACertificateFile "${APACHE_BASE}/conf/ca-bundle.crt"
</VirtualHost>

And to strengthen Mark's last comment: as soon as I add any mod_ssl directive (which is allowed in directory context) to the Location section, I see the same error messages as Mark.

I have chosen above SSLOptions, because it is simpler than SSLRequire and also allowed in the VirtualHost directly. If I put the SSLOptions instead into the VirtualHost or a <Proxy> section, the problem vanishes.

So we have a problem with per directory ssl config creation and merging, maybe only for proxy.

For the sake of completeness here again the error log lines (return code is 502 Bad Gateway):

[Sat Mar 31 23:35:07.771391 2018] [proxy:debug] [pid 6276:tid 6] mod_proxy.c(1239): [client 127.0.0.1:45669] AH01143: Running scheme https handler (attempt 0)
[Sat Mar 31 23:35:07.771436 2018] [proxy_http:trace1] [pid 6276:tid 6] mod_proxy_http.c(1904): [client 127.0.0.1:45669] HTTP: serving URL https://localhost:9544/
[Sat Mar 31 23:35:07.771472 2018] [proxy:debug] [pid 6276:tid 6] proxy_util.c(2162): AH00942: HTTPS: has acquired connection for (localhost)
[Sat Mar 31 23:35:07.771519 2018] [proxy:debug] [pid 6276:tid 6] proxy_util.c(2215): [client 127.0.0.1:45669] AH00944: connecting https://localhost:9544/ to localhost:9544
[Sat Mar 31 23:35:07.772590 2018] [proxy:debug] [pid 6276:tid 6] proxy_util.c(2424): [client 127.0.0.1:45669] AH00947: connected / to localhost:9544
[Sat Mar 31 23:35:07.772759 2018] [proxy:trace2] [pid 6276:tid 6] proxy_util.c(2859): HTTPS: fam 2 socket created to connect to localhost
[Sat Mar 31 23:35:07.773036 2018] [proxy:debug] [pid 6276:tid 6] proxy_util.c(2893): AH02824: HTTPS: connection established with 127.0.0.1:9544 (localhost)
[Sat Mar 31 23:35:07.773559 2018] [proxy:debug] [pid 6276:tid 6] proxy_util.c(3061): AH00962: HTTPS: connection complete to 127.0.0.1:9544 (localhost)
[Sat Mar 31 23:35:07.773603 2018] [ssl:info] [pid 6276:tid 6] [remote 127.0.0.1:9544] AH01964: Connection to child 0 established (server 195.227.30.235:9543)
[Sat Mar 31 23:35:07.773694 2018] [ssl:trace2] [pid 6276:tid 6] ssl_engine_rand.c(126): Proxy: Seeding PRNG with 136 bytes of entropy
[Sat Mar 31 23:35:07.773729 2018] [ssl:error] [pid 6276:tid 6] [remote 127.0.0.1:9544] AH01962: Unable to create a new SSL connection from the SSL context
[Sat Mar 31 23:35:07.773764 2018] [ssl:info] [pid 6277:tid 27] [client 127.0.0.1:45670] AH01964: Connection to child 152 established (server 195.227.30.235:9544)
[Sat Mar 31 23:35:07.773904 2018] [ssl:error] [pid 6276:tid 6] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Sat Mar 31 23:35:07.774067 2018] [proxy:error] [pid 6276:tid 6] (130)Software caused connection abort: [client 127.0.0.1:45669] AH01084: pass request body failed to 127.0.0.1:9544 (localhost)

Without the SSL config in Location it looks like this:

[Sat Mar 31 23:34:47.244356 2018] [proxy:debug] [pid 6260:tid 11] mod_proxy.c(1239): [client 127.0.0.1:45665] AH01143: Running scheme https handler (attempt 0)
[Sat Mar 31 23:34:47.244400 2018] [proxy_http:trace1] [pid 6260:tid 11] mod_proxy_http.c(1904): [client 127.0.0.1:45665] HTTP: serving URL https://localhost:9544/
[Sat Mar 31 23:34:47.244491 2018] [proxy:debug] [pid 6260:tid 11] proxy_util.c(2162): AH00942: HTTPS: has acquired connection for (localhost)
[Sat Mar 31 23:34:47.244546 2018] [proxy:debug] [pid 6260:tid 11] proxy_util.c(2215): [client 127.0.0.1:45665] AH00944: connecting https://localhost:9544/ to localhost:9544
[Sat Mar 31 23:34:47.245610 2018] [proxy:debug] [pid 6260:tid 11] proxy_util.c(2424): [client 127.0.0.1:45665] AH00947: connected / to localhost:9544
[Sat Mar 31 23:34:47.245777 2018] [proxy:trace2] [pid 6260:tid 11] proxy_util.c(2859): HTTPS: fam 2 socket created to connect to localhost
[Sat Mar 31 23:34:47.246066 2018] [proxy:debug] [pid 6260:tid 11] proxy_util.c(2893): AH02824: HTTPS: connection established with 127.0.0.1:9544 (localhost)
[Sat Mar 31 23:34:47.246612 2018] [proxy:debug] [pid 6260:tid 11] proxy_util.c(3061): AH00962: HTTPS: connection complete to 127.0.0.1:9544 (localhost)
[Sat Mar 31 23:34:47.246698 2018] [ssl:info] [pid 6260:tid 11] [remote 127.0.0.1:9544] AH01964: Connection to child 0 established (server 195.227.30.235:9543)
[Sat Mar 31 23:34:47.246727 2018] [ssl:info] [pid 6261:tid 27] [client 127.0.0.1:45666] AH01964: Connection to child 152 established (server 195.227.30.235:9544)
[Sat Mar 31 23:34:47.246801 2018] [ssl:trace2] [pid 6260:tid 11] ssl_engine_rand.c(126): Proxy: Seeding PRNG with 136 bytes of entropy
[Sat Mar 31 23:34:47.247137 2018] [ssl:trace4] [pid 6260:tid 11] ssl_engine_io.c(1658): [remote 127.0.0.1:9544] coalesce: have 0 bytes, adding 200 more
[Sat Mar 31 23:34:47.247181 2018] [ssl:trace4] [pid 6260:tid 11] ssl_engine_io.c(1718): [remote 127.0.0.1:9544] coalesce: passing on 200 bytes
[Sat Mar 31 23:34:47.247216 2018] [ssl:trace3] [pid 6260:tid 11] ssl_engine_io.c(1230): [remote 127.0.0.1:9544] SNI extension for SSL Proxy request set to 'localhost'
[Sat Mar 31 23:34:47.247212 2018] [ssl:trace2] [pid 6261:tid 27] ssl_engine_rand.c(126): Server: Seeding PRNG with 136 bytes of entropy
[Sat Mar 31 23:34:47.247282 2018] [ssl:trace3] [pid 6260:tid 11] ssl_engine_kernel.c(2016): [remote 127.0.0.1:9544] OpenSSL: Handshake: start
...
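
Added example (not part of the original comment and not httpd project code): a small Python check that flags the configuration shape described in the comment above, a VirtualHost with SSLProxyEngine on that also carries a mod_ssl directive inside a <Location> section. The function name, the constructed sample and the "name starts with SSL" heuristic are assumptions of this example.

```python
import re

# Constructed sample, reduced from the configuration quoted in the comment.
SAMPLE_CONF = """
<VirtualHost *:9543>
    SSLEngine on
    SSLProxyEngine On
    <Location "/">
        SSLOptions StdEnvVars
    </Location>
    ProxyPass /test https://localhost:9544
</VirtualHost>
<VirtualHost *:9544>
    SSLEngine on
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def find_risky_vhosts(conf_text):
    """Return [(vhost_args, [(lineno, directive), ...])] for affected vhosts."""
    # Assumptions: any directive whose name starts with "SSL" counts as mod_ssl;
    # an SSLProxyEngine inherited from the global server scope is not tracked.
    results, stack, vhost = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            name = closing.group(1).lower()
            if stack and stack[-1] == name:
                stack.pop()
            if name == "virtualhost" and vhost:
                # Decide at </VirtualHost>, so directive order does not matter.
                if vhost["proxy"] and vhost["hits"]:
                    results.append((vhost["args"], vhost["hits"]))
                vhost = None
        elif opening:
            stack.append(opening.group(1).lower())
            if stack[-1] == "virtualhost":
                vhost = {"args": opening.group(2).strip(), "proxy": False, "hits": []}
        elif vhost is not None:
            parts = line.split()
            name = parts[0].lower()
            if name == "sslproxyengine" and parts[1:2] and parts[1].lower() == "on":
                vhost["proxy"] = True
            elif name.startswith("ssl") and any(s.startswith("location") for s in stack):
                vhost["hits"].append((lineno, parts[0]))
    return results
```

Moving the flagged directive into the VirtualHost itself or into a <Proxy> section, as the comment reports, makes the check return an empty list.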
